Even within the highly controlled environments of Apple’s and Google’s app stores, you can still find a plethora of two-factor authentication (2FA) apps that are either dangerously inept or blatantly malicious.
An Overwhelming Array of Choices
The problem is the sheer volume of such apps that Apple and Google have seemingly approved, which gives them an unwarranted stamp of quality. Naked Security and the researchers at @mysk_co recently delved into the world of authenticator apps and were astounded by what they found.
Tommy Mysk, one of the co-founders of @mysk_co, shared their insights via email:
“After Twitter discontinued the SMS method for 2FA, we analyzed several authenticator apps. We found numerous scam apps that looked strikingly similar, all tricking users into signing up for a $40/year subscription. Four apps had nearly identical codes, and one even sent every scanned QR code to the developer’s Google Analytics account.”
In a series of tweets, Tommy poses the question: How can even a tech-savvy user discern that their top search result for “Authenticator app” might be the one they should avoid?
These deceptive apps generally coax you into paying an annual fee of $20 to $40, roughly the cost of a reliable hardware 2FA token that would last for years and likely provide better security.
Beware of Imposters
A Sophos Security search on the App Store led to an app with a poorly written description, published by a company using the name of a well-known Chinese mobile phone brand. Despite its questionable quality, the app had made it onto the App Store. At first it looked like blatant infringement of the company's name; on closer inspection it turned out to be “typosquatting”, a deceptive tactic in which a name is visually similar enough to mislead you at a glance.
On Google Play, the top hit was an app that @mysk_co had already flagged, warning that it not only demands unnecessary payments but also steals the initial seed secrets of the accounts you set up for 2FA through it.
Review Your Choice
If you’ve recently downloaded an authenticator app, particularly in response to Twitter’s recent announcement, it might be time to reassess your choice. If you find yourself paying a subscription, dealing with intrusive ads, or simply feeling uneasy about the app, consider switching to a mainstream app approved by your IT team.
Should you decide to change your authenticator app because of concerns about its legitimacy, remember to reset the 2FA seeds for every account linked to it, because a copied seed stays valid until it is replaced. Be wary, as many of these questionable apps are used to steal user identities, trick you into downloading other apps, or even request bank information. Reach out if you need help.